You should implement best practices to secure client systems.

Make sure that client systems are configured to go to sleep after a period of inactivity and require users to enter a password before the computer awakens.

Require users to enter a username and password when starting client systems. Do not configure client systems to allow automatic logins.

For Mac client systems, consider setting different passwords for the Keychain and the user account. When the passwords are different, users are prompted before the system enters any passwords on their behalf. Also consider turning on FileVault protection.

Local mode client systems might have more network access when they are running in local mode than when they are remote and connected to the intranet. Consider enforcing intranet network security policies for local mode client systems or disable network access for local mode client systems when they are running in local mode.